* [PATCH] Provide a SECURITY.md for glibc.
@ 2023-02-22 17:19 Carlos O'Donell
2023-02-23 11:44 ` Florian Weimer
0 siblings, 1 reply; 5+ messages in thread
From: Carlos O'Donell @ 2023-02-22 17:19 UTC (permalink / raw)
To: libc-alpha, fweimer; +Cc: Carlos O'Donell
Upstrem scanners will look for a SECURITY.md to determine if the
project has a security process. In 2014 glibc adopted a public
security process that we document on the wiki here:
https://sourceware.org/glibc/wiki/Security%20Process
This creates a SECURITY.md file that points directly at the security
process in the wiki and indicates that glibc has a policy.
---
SECURITY.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..579df63a7b
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,4 @@
+# Security Process
+
+For the GNU C Library please use the following documented security process:
+[Security Process](https://sourceware.org/glibc/wiki/Security%20Process).
--
2.39.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Provide a SECURITY.md for glibc.
2023-02-22 17:19 [PATCH] Provide a SECURITY.md for glibc Carlos O'Donell
@ 2023-02-23 11:44 ` Florian Weimer
2023-02-23 19:15 ` Carlos O'Donell
0 siblings, 1 reply; 5+ messages in thread
From: Florian Weimer @ 2023-02-23 11:44 UTC (permalink / raw)
To: Carlos O'Donell; +Cc: libc-alpha
* Carlos O'Donell:
> Upstrem scanners will look for a SECURITY.md to determine if the
What's an “upstream scanner”? How do these scanners discover Sourceware
Git repositories?
Thanks,
Florian
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Provide a SECURITY.md for glibc.
2023-02-23 11:44 ` Florian Weimer
@ 2023-02-23 19:15 ` Carlos O'Donell
2023-03-27 13:18 ` Siddhesh Poyarekar
0 siblings, 1 reply; 5+ messages in thread
From: Carlos O'Donell @ 2023-02-23 19:15 UTC (permalink / raw)
To: Florian Weimer; +Cc: libc-alpha
On 2/23/23 06:44, Florian Weimer wrote:
> * Carlos O'Donell:
>
>> Upstrem scanners will look for a SECURITY.md to determine if the
>
> What's an “upstream scanner”? How do these scanners discover Sourceware
> Git repositories?
(1) What is an upstream scanner?
Typo s/Upstrem/Upstream/g.
When I wrote "Upstream scanners" I meant tooling being used by projects to scan the
set of dependencies on the project to see if they met a given security policy.
Such a security policy might be: "All projects included in a product must have a
security reporting policy."
(2) How do these scanners discover Sourceware Git repositories?
They don't.
Either the scanners scan a tarball or...
Either glibc forks in gitlab and github are used by other projects and those
respositories are scanned by scanners that look at github sources.
There are 1000+ repositories in github with glibc in the name, mostly forks for
specific projects.
Github itself can be configured with a security policy around this topic:
https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
It would therefore be useful to make sure that for projects including glibc to
be able to determine, easily, how to submit security issues.
Does that answer your questions?
--
Cheers,
Carlos.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-04-05 19:24 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-22 17:19 [PATCH] Provide a SECURITY.md for glibc Carlos O'Donell
2023-02-23 11:44 ` Florian Weimer
2023-02-23 19:15 ` Carlos O'Donell
2023-03-27 13:18 ` Siddhesh Poyarekar
2023-04-05 19:24 ` Siddhesh Poyarekar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).